Privacy Terms

LITIDEAL UAB (hereinafter referred to as “LITIDEAL ” or “we”) offers its customers (both natural persons and legal entities (hereinafter referred to as “you”)) a car (hereinafter referred to as the “Car“) rental service, activated and used on our website www.myavis.lt . and on the MyAvis mobile application (the ” Service“).

We pay particular attention to protecting your privacy when we provide services to you and collect and use your data (including your personal data). For this reason, we want you to understand what personal data we collect and how we use it. These privacy terms are intended to give you an overview of how we use your personal data.

Terms and definitions

To make the content of this document easier to understand, we have explained below some of the terms used in it.

GDPR is the General Data Protection Regulation (EU 2016/679), which was implemented on 25 May 2018 and is directly applicable in all European Union Member States.

MyAvis mobile app – an app for smartphones, tablets and/or other mobile devices used to make a reservation, unlock, lock and/or perform other actions in the app.

Personal data means any information which, directly or indirectly, individually or in combination with other available information, identifies a natural person, such as name, email address, IP address, personal identification number, photograph, description, telephone number, etc.

Processing means any operation or combination of operations which may be performed upon personal data, whether or not by automated means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, verification, use, disclosure by transmission, dissemination and otherwise making available, alignment or aggregation, blocking, erasure or destruction.

Data controller – the entity that decides why and how personal data are collected and processed.

Processor – an entity that processes personal data on behalf of the controller.

Terms – the terms and conditions that apply to your use of our services, which can be found at [nuoroda].

1. Data Controller

LITIDEAL UAB

Company code: 111444388

Address: Laisvės pr. 3, Vilnius, Lithuania

E-mail: avisnow@avis.lt

2. Type of personal data collected and processed, purposes of use and grounds for lawful processing

2.1. Services commissioned by natural persons

When you use our services, we collect various types of information. Some of the information is collected from you personally when you register to use the service (Identity Data) or when you give your specific consent for certain uses of the data (Marketing Data), and some of the information is collected automatically when you use the service (Usage Data). We may also obtain information (including personal data) from public sources such as commercial/trade registers, the internet and from third parties such as credit registers in order to carry out an analysis of a legal entity’s history and credit information. We do not analyse the credit information of natural persons (our customers).

For legal entities, we may ask you to provide the name, surname, telephone number and email address of the customer (natural person) who uses and/or is authorised to use the MyAvis mobile app account created on behalf of the relevant legal entity.

Identity data

– Name (first name, surname)

– Mobile phone number

– Email address

– Login details: username and password (the password will be stored in encrypted form and will never be displayed in clear text)

– Driving licence number and date of issue

– Age (up to or over 18 years)

– Name of the legal entity that gave you access to the business account

Purposes and legal basis for processing identity data:

– Creating and accessing a user account, registering a user, and entering into a service agreement (Terms of Service). The legal basis for such use is the conclusion of a contract (Article 6(1)(b) GDPR).

– Service-related communications, such as invoicing, user support, and exchanging information with third-party service providers. The legal basis for such use is the performance of a contract (Article 6(1)(b) GDPR).

– Managing our accounts, assets and debts. The legal basis for this use is usually our legitimate interest (Article 6(1)(f) GDPR), but in some cases it may also be our legal obligation (Article 6(1)(c) GDPR), e.g. to keep accounting records.

– Managing car-related accidents and, if necessary, passing on information to insurance companies. The legal basis for this use is our legitimate interest (Article 6(1)(f) GDPR).

Driving licence details

– Driving licence data (name, surname, expiry date, category) will be processed and stored by a third party service provider, Sumsub, in order to ensure that our customer (a natural person) is entitled to drive the Car. Sumsub is an independent data controller, so please consult its privacy policy on the website https://sumsub.com/privacy-notice-service/

– Information (yes or no) on whether you have a valid driving licence that entitles you to drive certain types of cars.

Purposes and legal basis for processing driving licence data:

– Providing the Services and managing your user account in accordance with the procedures set out in the Terms. The legal basis for such use is the performance of a contract (Article 6(1)(b) GDPR).

Payment details

– Payment card data (card issuer, cardholder, card number, card expiry date) will be processed and stored by Stripe, a third-party payment service provider, to process payments and prevent fraud. “Stripe is an independent data controller, so please consult its privacy policy available at www.stripe.com/en-ee/privacy.

– Information about the services you have purchased from us and the payments you have made.

– Information about amounts credited to your company account on the MyAvis mobile app, which you have been authorised to use by a legal person (e.g. your employer), and the balance of your account.

Purposes and legal basis for processing payment data:

– Providing the Services and managing your user account in accordance with the procedures set out in the Terms. The legal basis for such use is the performance of a contract (Article 6(1)(b) GDPR).

– Managing our accounts and assets. The legal basis for this use is usually our legitimate interest (Article 6(1)(f) GDPR), but in some cases it may also be our legal obligation (Article 6(1)(c) GDPR), e.g. to keep accounting records.

– Access to funds credited to an account on the MyAvis mobile app that you use as a method of payment for services in accordance with the Terms. The legal basis for such use is the performance of a contract (Article 6(1)(b) GDPR).

Data for use

– Your login details

– GPS data

– IP address

– Battery data

– Vehicle systems data

– Speed of the car you are using

– Distance you travel by car

– Data generated by the car and/or the MyAvis mobile app, such as location, driving habits, speed

– Information about your use of our website, MyAvis mobile app and Cars (including your driving and location history)

– Browser/phone type and version

– Fuel level in the car

– Using your fuel card

– Your preferred settings

Purposes and legal basis for processing the data used:

– Provision of the services set out in the terms and conditions. The legal basis for such use is the performance of a contract (Article 6(1)(b) GDPR).

– Providing service-related support. The legal basis for such use is the performance of a contract (Article 6(1)(b) GDPR).

– Compiling statistics and analysing user data (including information on identified deficiencies) to maintain and improve the Services. The legal basis for such use is our legitimate interest (Article 6(1)(f) GDPR).

– Protecting our assets using GPS data to locate cars. The legal basis for this use is our legitimate interest (Article 6(1)(f) GDPR).

Marketing data

– Whether you have consented to the processing of your data for marketing purposes.

– Details of the channel through which you wish to receive marketing information (email, mobile phone or both).

Purposes and legal basis for processing marketing data:

– marketing our services and products. The legal basis for such use is your consent (Article 6(1)(a) GDPR).

2.2. Services requested by legal entities

When our services are ordered or payment for a user is arranged by a legal entity (e.g. through a business account provided by the legal entity) for use by its employees or other persons selected by the legal entity, we collect and process the same information about the actual users of the services as described in Section 2.1. As each user is subject to the Terms and Conditions, we have a direct relationship with the users and the processing is based on the same lawful basis as described in section 2.1.

In the case of legal persons, we additionally collect the following information:

– Company name

– Company code

– VAT payer code

– Name, surname, telephone number and email address of the person representing the legal entity responsible for the performance of the contract and the administration of the service user information (hereinafter referred to as the legal entity representative)

In this case, we process the personal data of the representative of the legal entity in order to communicate with the client (i.e. the legal entity) in the course of providing the services agreed with the client. The legal basis for such processing is our legitimate interest (Article 6(1)(f) GDPR) – it is necessary for us to communicate with the legal person and, if you are the representative of the legal person, we assume that the legal person has informed you of your appointment as a contact person and that there is therefore a balance of interests and that we are not infringing on your interests, rights and freedoms. Where the processing of personal data is based on legitimate interest, the data subject always has the right to object to such processing. If you object to such processing, we will inform our customer by asking for a new contact person or otherwise ask you to comment on your objection.

3. Disclosure of your data

Only employees who need access to your personal data to perform their job functions (on a need-to-know basis) have access to your personal data held by us. Outside our company, we may transfer your data to the following persons in the circumstances set out below and only to the extent necessary:

– For entities providing services to us: your data may be accessed by persons providing services to us and processing your data on our behalf (data processors), but only to the extent necessary for the provision of such services. This includes providers of the MyAvis websites and mobile app, maintenance, billing, payment services, driving licence checking services, debt collection companies and application service providers.

– To public authorities and public bodies (e.g. police, courts, data protection authorities): we will only disclose your data if and to the extent we are legally obliged to do so.

– To third parties involved in legal processes (e.g. lawyers, financial advisors, insurance companies): we may share or disclose your data if necessary to protect our assets and rights (including legal claims made for this purpose), to enforce our contracts, to defend ourselves against any third-party claims.

– Third parties in relation to damage caused by your use of the services, including but not limited to car park owners (public and private), debt collection companies.

– The legal entity whose business account you use or are authorised to use.

– To third parties in connection with corporate transactions: we may share your information with third parties in connection with a corporate transaction, such as the sale of our company, the issuance of new shares to investors, or the sale of the company’s business and/or assets to another company. Also, when setting up a joint venture, merger or other reorganisation.

As a general rule, your personal data is processed within the European Economic Area (EEA). However, if it is necessary to transfer data outside the EEA, we comply with the requirements of the GDPR governing such transfers.

4. Storage of personal data

We retain your data for the period of time set out in this clause and, if it is not possible to objectively determine the period of time, for the period of time necessary to achieve the purposes of the processing and to comply with the mandatory legal requirements described in these privacy terms. The criteria we use to determine the retention period for different categories of personal data are as follows:

– whether or not you are an active customer, how often you use our services or when you last rented a car;

– whether there are contractual or legal obligations that require us to keep the data for a certain period of time;

– whether there are any pending or threatened legal proceedings relating to your purchase of the Car Rental Service or otherwise relating to your relationship with us;

– whether a specific retention period is allowed under applicable laws, legislation or regulations;

– what were the expectations regarding data retention at the time the data was provided to us.

If you have not completed the registration process and/or your registration has not been confirmed, the personal data you provide for registration purposes will be stored for 2 months from the start date of the registration attempt.

If you have not used your account for 1 year and your account has been deactivated in accordance with the procedures set out in the Terms, your personal data will be retained until your account is deactivated, and after your account is deactivated, for a period of 3 years, unless we are required to retain certain personal data for a longer period of time by applicable law (e.g. accounting law).

We keep payment-related information for 10 years from the date of the invoice for our services, in accordance with applicable law.

If certain material containing personal data is used for internal and/or external investigations, the personal data contained in such material shall be retained until the conclusion of the relevant investigation.

GPS data is stored for 6 months from the date of creation.

If personal data is collected on the basis of your consent, such personal data will be retained for as long as your account is valid, unless you withdraw your consent.

In addition, we may process the data in an aggregated or personalised format, for example for analytical and statistical purposes and to improve and develop our services.

For more precise information about the storage of your personal data, please make a request to the email address specified in Section 1 of these privacy terms.

5. Your rights

We use automated decision-making, including profiling, to enforce the Terms (e.g. to ensure that payments are received for the services we provide to you, to make sure that you have a valid driving licence to use our services, to provide you with tailored direct marketing services – to only send newsletters to interested customers).

We may collect, analyse and process personal data using specific algorithms which may, in certain cases, affect your ability to access and use our services, i.e. if your driving licence is not valid or if you do not have sufficient funds in the payment instrument you have linked to your account, you may not be able to use our services.

If you disagree with an automated decision, you have the right to request that the applicable decision not be based solely on automated processing. If you wish to have an automated decision reviewed, please contact us using the contact details set out in section 1.

6. Your rights

Right of access – you have the right to know what data we hold about you (if any).

Right to rectification – You have the right to have inaccurate or incomplete personal data about you rectified.

Right to erasure – You have the right to request the erasure of your personal data under certain conditions, including where your personal data is no longer necessary for the purposes for which it was collected, or where your personal data was processed on the basis of your consent, but you wish to withdraw your consent, and there are no other reasons for processing your personal data.

Right to restrict processing – in certain circumstances, you have the right to prohibit or restrict the processing of your personal data for a certain period of time (e.g. you have objected to the processing).

Right to object – you have the right to object to processing based on our legitimate interest. Upon receipt of such an objection, we will cease processing your personal data unless we can demonstrate compelling legitimate grounds for processing or for the establishment, exercise or defence of legal claims. You also have the right to object at any time to the processing of your personal data for direct marketing purposes. If we receive such an objection, we will stop processing your personal data for direct marketing purposes.

If you have given us your consent to process your personal data for certain purposes (e.g. direct marketing), you have the right to withdraw your consent at any time.

To exercise your rights, please submit a request to the email address set out in Section 1 of these Privacy Terms. We have the right to respond to your request within 30 days.

7. Right to lodge a complaint with the supervisory authority

If you would like more information about your personal data or to exercise your rights, you can contact us at the email address set out in Section 1 of these Privacy Terms.

If you consider that your personal data are being processed in breach of legal requirements, you have the right, without prejudice to any other administrative or judicial remedies, to lodge a complaint with a supervisory authority, in particular in the Member State in which you are habitually resident, where you work, or where the alleged infringement takes place. In Lithuania, this supervisory authority is the State Data Protection Inspectorate.

8. Changes to these privacy terms

From time to time, we may unilaterally modify these privacy terms, in particular in the event of a change in the law governing the protection of personal data or in our data processing practices. You will be notified in advance of any significant changes. The previous (archived) and updated and current version of the privacy terms can always be found on our website https://www.myavis.lt/lt/legal/policy/1